Blog Posts Tagged with "Information Security"

Every time I read something regarding the core terminology in security and risk management, I start to question whether they really know what they’re talking about. Even worse, some speak with so many words and such arrogance, I start question whether I know what I’m talking about...

As my perspective in infosec comes from my role as a Cyberspace Operations Officer in the Air Force, where most people say “infosec” I say “cyber” and try to speak on the broader domain impacts, deterrence, sharing threat intelligence, education, and the importance of working together...

How do you teach paranoia and suspicion? We often hire people because of their willingness to help others, their good communication skills, their ability to be responsive, etc. As we work through securing our humans, we need to strike a balance – trust but verify, assist but not unquestioningly...

The same "good 'ol boys/girls" keep returning time and time again. When their terms are up, they "sit out a year" and then the next board nominates them as one of the BoD-recommended candidates. Keeping the same old board will result in a certification that continues to be disconnected...

You’re the new guy in the security ops team, they’re giving you a very crucial and important job… Monitoring. You’ll be told how it is essential to be done correctly. But you notice that nobody really shows any interest in doing it. There’s are two reasons for this...

If we are charged with designing, architecting, implementing, deploying, integrating, training and supporting security technology, processes and policies within our organization, we might discover that this work is really an art more than a science...

One of the big stories from this year’s BlackHat conference was Microsoft’s inaugural BlueHat contest which challenged researchers to design a novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities. Katie Moussouris discusses...

Convenience vs. Security: My goal of not installing Flash and Java on a new system didn't last more than a few hours. Yet, as infosec professionals, following the disable unnecessary services philosophy, we advise not installing these types of applications for security reasons...

Learn about file versus whole disk encryption, as well as where keys are stored. Also learn to move the keys if you're going to wipe a drive. If I can offer anything to anyone about file encryption it would be to completely understand how it works before you play with live data...

Will all smartphone users feel comfortable transforming their them into wallets? What about security? What if you lose your phone and the person who finds it hacks into your accounts? Now, these cool capabilities don’t sound so impressive. In fact, there are some serious consequences...

It seems that when one “petitions” to run for the board, one must have the signatories send an email instead of just fill out their information on some excel sheet or online petition. If you are wanting to sign the petition for my being able to run for the BoD please email me...

Alex uncovered a poorly designed web page and convinced it to give up its secrets. What followed was a quick RDP war trying to plant our backdoor. I found myself with root level access having blasted away at it using Metasploit and uncovered several Easter eggs instructors had planted...

Enterprise security organizations can be their own worst enemies. Security is largely disconnected from the business, largely dependent on technology, and unable to be anything more than a cost center... and it seems like the more we rant and wave our arms the deeper the hole gets...

"Penetration testers, the guys that come onto the sites—they’re highly in demand... In terms of technology, I think these guys see security in a different light than other people. They sort of can see it as a whole picture. Penetration testers are looking at it in a completely different light...."

The common reason to push the security team over to the side or down the org chart is due to a belief that what they do isn’t a core value proposition for the company. By reinforcing the idea that security is low priority it creates impediments for the business and the security team to negotiate risk and work collaboratively...

The Information Security industry is rife with negativity. Why are we so quick to pile on to others' pain? Isn the security community just more cynical by nature, is it psychological? Are we wired this way? As an industry, our goal is to create more resilient, more secure' and more defensible postures for everyone...